| > The extension ID is derived from a private key that the developer uploads with the first upload to the app store While what you described is possible, this process isn't required or the typical way an extension ID is generated. Typically developers just upload a ZIP file on their first submission, then CWS will generate and store a private key to sign the extension for public distribution. > and the ID will change if any subsequent uploads include a different key.pem in their zip file CWS should never change an existing extension's ID. The ID is what I uniquely identifies an extension. If the ID changed, Chrome clients wouldn't be able to request an updated version of that extension. CWS & Chrome do not support migrating users from one extension to another. To the best of my knowledge CWS will reject an extension if the zip after the first submission contains a key.pem file. > Therefore, if the extension ID changes, it's possible the owner changed. If the extension ID changes, it's not the same extension. > then the new owner could push changes without even needing access to that key. This is mostly true, but there is one case where developers CANNOT update an extension without the PEM: if the dev signed the extension they submitted to CWS. To be honest I'm not even sure this is possible to do any more; as I recall this feature was a huge foot-gun and often ended up causing developers to lose their install base because they lost their private keys that they used to sign their own uploads. |